(54) Method for removing funds from a postal security device

(57) A method for removing postal funds from a postage meter (10) provides an accounting unit (20) of a postage meter (10) with indicium-related information which is invalid for mailing. The accounting unit (20) generates a digital signature, which is an encrypted value of the postal funds removed from the postage meter (10) and other postal data including the indicium-related information. The accounting unit (20) through a Host PC (12) sends to a data center (5) the amount of the postal funds removed from the postage meter (10) and the digital signature. The data center (5) verifies that the digital signature has been generated using the indicium-related information. The meter (10) is disabled when the digital signature cannot be verified. When the digital signature is verified a request for a refund is sent by the data center (5) to a postal authority. An example of the indicium-related information is an invalid destination postal code or an invalid origination postal code.
Description

[0001] The present invention relates generally to a method for removing funds from a postage meter and, more particularly, to such method for removing funds from a postal security device coupled to a personal computer.

[0002] The Information-Based Indicia Program ("IBIP") is a distributed trusted system proposed by the United States Postal Service ("USPS") to retrofit and augment existing postage meters using new technology known as information-based indicia. The program relies on digital signature techniques to produce for each envelope an indicium whose origin cannot be repudiated and content cannot be modified. IBIP is expected to support new methods of applying postage in addition to the current approach, which typically relies on a postage meter to mechanically print indicia on mailpieces. IBIP requires printing a large, high density, two-dimensional ("2-D") bar code on a mailpiece. The 2-D bar code encodes information and is signed with a digital signature.

[0003] The USPS has published draft specifications for IBIP. The INFORMATION BASED INDICIA PROGRAM (IBIP) INDICIUM SPECIFICATION, dated June 13, 1996, and revised July 23, 1997, ("IBIP Indicium Specification") defines the proposed requirements for a new indicium that will be applied to mail being processed using IBIP. The INFORMATION BASED INDICIA PROGRAM POSTAL SECURITY DEVICE SPECIFICATION, dated June 13, 1996, and revised July 23, 1997, ("IBIP PSD Specification") defines the proposed requirements for a Postal Security Device ("PSD") that will provide security services to support the creation of a new "information based" postage postmark or indicium that will be applied to mail being processed using IBIP. The INFORMATION BASED INDICIA PROGRAM HOST SYSTEM SPECIFICATION, dated October 9, 1996, defines the proposed requirements for a host system element of IBIP ("IBIP Host Specification"). The specifications are collectively referred to herein as the "IBIP Specifications". IBIP includes interfacing user (user), postal and vendor infrastructures which are the system elements of the program. The INFORMATION BASED INDICIA PROGRAM KEY MANAGEMENT PLAN SPECIFICATION, dated April 25, 1997, defines the generation, distribution, use and replacement of the cryptographic keys used by the USPS, product/service provider and PSDs ("IBIP KMS Specification").
[0004] The user infrastructure, which resides at the user's site, comprises a PSD coupled to a host system ("Host") with printer. The PSD is a secure processor-based accounting device that dispenses and accounts for postal value stored therein.

[0005] The IBIP Indicium Specification provides requirements for the indicium that consists of both human-readable data and PDF417 bar code data. The human-readable information includes an originating address, including the 5-digit ZIP Code of the licensing post office, PSD ID/Type number, date of mailing and amount of the applied postage. The bar code region of the indicium elements includes postage amount, PSD ID, user ID, date of mailing, originating address, destination delivery point identification, ascending and descending registers and a digital signature.
[0006] An integrated mailing system is subject to open system requirements if it includes a computer interfaced to the meter and it prepares mailpiece fronts or labels that include both the destination address and the indicium. The integrated system is an open system even if different printers apply the address and the indicium. If the mailing system satisfies such criteria, the USPS considers the "meter" to be an open system peripheral device that performs the dual functions of printing the indicia and interfacing the PSD to the Host. The integrated mailing system must be approved by the USPS according to open system criteria.
[0007] The IBIP Host Specification sets forth the requirements for a Host in an open system. The Host produces the mailpiece front including the return address (optional), the delivery address (required), the Facing Identification Mark ("FIM"), and the indicium as an integral unit. The Host may print this unit on the actual mailpiece stock or label(s) for later attachment to the mailpiece. The Host provides the user with an option to omit the FIM (e.g., when the FIM is preprinted on envelopes). The Host produces standardized addresses, including standard POSTNET delivery point bar code, for use on the mailpiece. The Host verifies each address at the time of mailpiece creation. The Host then creates the indicium and transmits it to the printer.

[0008] The IBIP Specifications define a stand-alone open metering system, referred to herein as a PC Meter or Stand-alone PC Meter. The Stand-alone PC Meter has one personal computer ("PC") which operates as the Host ("Host PC"). The Host PC runs the metering application software and associated libraries (collectively referred to herein as "Host Applications" and "PC Meter Toolkit") and communicates with one or more attached PSDs. The Stand-alone PC Meter can only access PSDs coupled to the Host PC. There is no remote PSD access for the Stand-alone PC Meter.
[0009] The Stand-alone PC Meter processes transactions for dispensing postage, registration, and refill on the Host PC. Processing is performed locally between the Host and the PSD coupled thereto. Connections to a Data Center, for example for registration and refill transactions, are made locally from the Host through a local or network modem/internet connection. Accounting for debits and credits to the PSD is also performed locally, logging the transactions on the Host PC, which is the PC where the transactions are processed and to which the PSD is attached. Thus, the accounting of funds and transaction processing are centralized on a single PC. The Host PC may accommodate more than one PSD, for example supporting one PSD per serial port. Several application programs running on the Host PC, such as a word processor or an envelope designer, may access the Host metering software.
[0010] It is expected that once IBIP is launched, the volume of meters will increase significantly when the PC-based meters are introduced. Such volume increase is expected in the small office and home office (SOHO) market. The IBIP Specifications address and resolve issues which minimize if not eliminate USPS risks regarding security and fraud. However, as with any system implemented on a non-secure device, such as a personal computer, implementation of an IBIP system may have inherent security weaknesses that could be exploited by sophisticated users intent on defrauding the USPS.

[0011] The IBIP Specifications do not specify any method for the removal of funds from the PSD, such as safely sending funds to the Data Center when a PSD is taken out of service. Contrarily, the IBIP Host and PSD Specifications do not permit the zeroing of registers, which is common practice in current Pitney Bowes meters (except for the Personal Post Office digital meter as described below). It is anticipated that the removal of funds from a PSD would be accomplished using conventional methods.

[0012] Historically, mechanical postage meters that are being taken out of service have to be physically returned to the Post Office, opened and registers zeroed. This method has drawbacks, the most significant of which is the possibility of theft of an active meter and also the inconvenience of making the return.
[0013] Today, when a conventional electronic postage meter is taken out of service, a vendor service representative retrieves the postage meter from a customer, and contacts the Data Center's voice response unit or VRU. The service representative enters a special request code for zeroing the meter's registers and sends the request to the Data Center. The Data Center generates a combination code, for example, a 4 digit code as opposed to the standard 6 digit code. The service representative enters the combination code into the postage meter with an amount of ".00" to indicate to the postage meter that a special register clear operation is to be performed. The postage meter then resets the registers of the meter to 0.

[0014] This is not a very secure method, since it relies on the customer service representative to be accurate in reading the registers and putting that information correctly into a computer or on a piece of paper for manual processing. The postage meter, however, serves as a backup to this process by holding a history of past registers in memory. The manual nature of this process can lead to potentially improper or disputed refund amounts.
[0015] In the Personal Post Office digital meter, an improvement was made to the existing process. A customer who no longer desires the product or is getting a new meter places a call to the Data Center. The Data Center, knowing that the meter is in a pending withdrawal status, sends a command to the meter requesting that a debit be made to the meter for an amount equal to that of the current descending register. The meter, upon receipt of the command, debits for the appropriate amount and generates a digital signature, also referred to herein as a token, for the mailpiece that would have been printed if the deduction was to occur on a mailpiece. The digital token and other information that would have been printed on the mailpiece are sent to the Data Center for verification to ensure that the meter properly deducted the appropriate funds. However, it should be noted that the digital token is generated in exactly the same way as for a valid mailpiece. Therefore, by intercepting, for example by listening to the communications with the Data Center, it would be possible for an attacker to obtain valid digital tokens. These tokens and associated postal information could be imprinted on a mailpiece, thus giving the attacker free postage. The amount of free postage could be significant, e.g., for a priority mail mailpiece. The attacker could also print an indicium and bring the indicium to the Post Office for a refund.

[0016] It has been found that the present invention eliminates a window of opportunity for an attacker to intercept and use information valid for postage evidencing. The present invention provides a better security method to upload postage to the Data Center in open system meters. When a PSD is taken out of service, a call is placed to the Data Center. After the client establishes contact with the Data Center, the Data Center sends a command to the client to extract the funds in the PSD. The client requests a debit from the PSD equal to the amount of the current descending register value, and supplies the PSD with an invalid destination zip code (such as "0000000000") or other invalid input data, which cannot be used to print valid mailpieces. The PSD debits the descending register, credits the ascending register and generates a digital signature using the invalid destination zip code. The digital signature is sent to the Data Center for verification that the funds have been truly extracted from the PSD.
[0017] The method of the present invention for the open system PSD would be similar to that previously described for the Personal Post Office digital meter (Data Center commanding client to debit for amount of DR, with resulting postal data sent to Data Center for verification), with the exception that the client software running on the PC would supply an invalid mailing zip such as "00000000000" or "99999999999" in the PSD's debit command. This improvement in accordance with the present invention prevents the generated PSD digital signature from being used on a mailpiece, because the destination zip code used to produce the digital signature would not match any valid destination address. A mailpiece with an invalid destination zip code would be detected during mailpiece verification by the Post Office. This could be further strengthened because the PSD could actually receive non-numeric data (i.e., ASCII character codes) for this process.
[0018] Other alternatives such as placing the destination zip code of the Pitney Bowes Data Center, "06926070001", are possible. This, however, is a valid mailing zip and therefore a user could use the information to send mail to Pitney Bowes in similar fashion to the Personal Post Office digital meter method described above.

[0019] Currently, the choice of invalid destination zip code is left up to the client. Alternatively, the Data Center can supply the invalid destination zip code or other invalid data to use for the funds withdrawal rather than the client hardcoding the answer. This would allow for the Data Center to change between one or more invalid zip codes for added security.
[0020] The present invention provides a method for removing postal funds from a postage meter. The method includes providing an accounting unit of a postage meter with indicium-related information which is invalid for mailing. The accounting unit generates a digital signature, which is an encrypted value of the postal funds removed from the postage meter and other postal data including the indicium-related information. The accounting unit through a Host PC sends to a data center the amount of the postal funds removed from the postage meter and the digital signature. The data center verifies that the digital signature has been generated using the indicium-related information. The meter is disabled when the digital signature cannot be verified. When the digital signature is verified a request for a refund is sent by the data center to a postal authority. An example of the indicium-related information is an invalid destination postal code or an invalid origination postal code.

[0021] The above and other objects and advantages of the present invention will be apparent upon consideration of the following detailed description, taken in conjunction with accompanying drawings, in which like reference characters refer to like parts throughout, and in which:

Fig. 1 is a block diagram of a prior art open metering system; and

Fig. 2 is a flow chart of the process for removing funds from a PSD in accordance with an embodiment of the present invention.

[0022] In describing the present invention, reference is made to the drawings, wherein there is seen in Fig. 1 a block diagram of an IBIP open metering system, also referred to herein as a PC meter system, generally referred to as 10. The PC meter system includes a conventional personal computer (PC) 12, including display and keyboard (not shown) configured according to the IBIP Specifications to operate as a Host PC to a peripheral metering device, i.e., the PSD, generally referred to as 20, in which postage funds are stored. Coupled to Host PC 12 is a conventional printer 24, which is preferably a laser or ink-jet printer. The IBIP open metering system 10 uses Host PC 12 and its printer 24 to print postage on envelopes at the same time it prints a recipient's address or to print labels for pre-addressed return envelopes or large mailpieces. It will be understood that although the preferred embodiment of the present invention is described as a postage metering system, the present invention is applicable to any value metering system that includes transaction evidencing using an unsecured printer.

[0023] Host PC 12 includes a conventional processor, such as the Pentium processors manufactured by Intel, and conventional hard drive, floppy drive(s), and memory. PSD 20 is a microprocessor-based secure encryption device for postage funds management, signature of postal data and traditional accounting functions. Host PC 12 also includes a modem 28 by which the Host PC communicates with a Postal Service or a Data Center 5, typically managed by a postal authenticating vendor, for recharging funds (debit or credit). In an alternate embodiment (not shown) the modem may be located in PSD 20. In yet another alternate embodiment communication with Data Center 5 may be through the internet.
[0024] In addition to running application programs 32, Host PC 12 processes the functions for PSD registration, PSD refill, and postage dispensing transactions for PSD 20. Processing is performed locally by metering software 30 (referred to herein as "PC Meter Toolkit") running in Host PC 102. In the preferred embodiment, the PC Meter Toolkit 30 is a Component Object Model/Distributed Component Object Model (COM/DCOM) object (typically implemented as a dynamic link library (DLL) or OLE control) with interfaces to perform metering operations. An example of a PC metering system using a DLL with interfaces to perform metering operations is described in European Patent Application No. EP-A-0780809, filed December 19, 1996.

[0025] Referring now to Fig. 2, there is seen a method for removing funds from PSD 20. At step 100, the PSD initiates a funds debit by contacting the Data Center. At step 105, the Data Center responds with an audit request. At step 110, the meter performs an audit of its registers and sends the results of the audit to the Data Center. At step 115, the Data Center verifies the results of the audit. If the results are verified, then, at step 120, the Data Center requests from the meter an indicium including a digital signature using an invalid postal code and the amount of the descending register of the PSD. In the preferred embodiment, while an invalid postal code is sent to the PSD, it should be noted that any data which would produce an indicium that is invalid for mailing could be used. For example, any data used in the generation of the digital signature or token, such as an invalid origin zip or date, could be used. If the results are not verified, then, at step 145, the Data Center sends a disable message to the PSD, and at step 150, the meter is disabled.

[0026] At step 125, in response to the Data Center's request for an indicium, the meter generates an indicium and sends it to the Data Center. It is noted that the meter does not generate an indicium image in response to the Data Center's request, but does generate and send to the Data Center data that would be included in the indicium image. The steps of generating an indicium include debiting the descending register and crediting the ascending register for the amount of the funds removed from the PSD. At step 130, the Data Center determines if the received indicium can be verified. If the indicium can be verified, then, at step 135, the Data Center sends a request to the postal authority for a refund to the customer's account for an amount equal to the descending register as provided in the indicium. At step 140, the Data Center determines whether the PSD should be disabled, for example, if the descending register has been cleared. If the PSD should be disabled from step 140, or if the indicium cannot be verified at step 130, then, at step 145, the Data Center sends a disable message to the PSD, and, at step 150, the meter is disabled. If, at step 140, the meter should not be disabled, for example, if the descending register has not been cleared as in the case of a partial refund, then the meter continues normal processing.
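The withdrawal exchange of Fig. 2 (steps 105 to 150), and the reason paragraphs [0015] to [0017] give for signing over an invalid destination code, as an added Python model that is not part of the patent and is not Pitney Bowes code. It assumes a shared-key HMAC in place of the PSD's actual signature scheme under the IBIP KMS Specification, a toy delivery-point check standing in for the Post Office's address verification, and constructed register values; the names PSD, data_center_withdraw and post_office_accepts_mailpiece are invented for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Constructed demo key shared by the PSD and the Data Center. It stands in for
# the PSD signature key managed under the IBIP KMS Specification; the real
# scheme (per-device keys, public-key signatures) is not reproduced here.
PSD_KEY = b"constructed-demo-psd-key"

# Invalid destination codes quoted in paragraph [0017]; under the alternative
# in [0019] the Data Center, not the client, chooses which one to use.
INVALID_DEST_CODES = ("00000000000", "99999999999")


def postal_code_is_valid_for_mailing(code: str) -> bool:
    """Toy stand-in (assumption) for the Post Office's delivery-point check:
    eleven digits that are not all the same digit."""
    return code.isdigit() and len(code) == 11 and len(set(code)) > 1


def sign_postal_data(postal_data: dict) -> str:
    """Signature over a canonical encoding of the data that would go into the
    indicium bar code. HMAC-SHA256 stands in for the PSD's signature scheme."""
    canonical = json.dumps(postal_data, sort_keys=True).encode()
    return hmac.new(PSD_KEY, canonical, hashlib.sha256).hexdigest()


def signature_is_valid(indicium: dict) -> bool:
    expected = sign_postal_data(indicium["postal_data"])
    return hmac.compare_digest(expected, indicium["signature"])


@dataclass
class PSD:
    """Accounting unit 20: descending register = funds left, ascending
    register = funds spent, both in cents."""
    psd_id: str
    descending: int
    ascending: int
    disabled: bool = False

    def audit(self) -> dict:
        return {"psd_id": self.psd_id, "descending": self.descending,
                "ascending": self.ascending}

    def debit_and_sign(self, amount: int, dest_code: str, date: str) -> dict:
        """Step 125: debit DR, credit AR and sign the postal data. The PSD signs
        whatever destination code it is handed, exactly as for a mailpiece."""
        if self.disabled:
            raise RuntimeError("PSD is disabled")
        if not 0 < amount <= self.descending:
            raise ValueError("debit exceeds descending register")
        self.descending -= amount
        self.ascending += amount
        postal_data = {"psd_id": self.psd_id, "amount": amount,
                       "dest_code": dest_code, "date": date,
                       "ascending": self.ascending,
                       "descending": self.descending}
        return {"postal_data": postal_data,
                "signature": sign_postal_data(postal_data)}


def post_office_accepts_mailpiece(indicium: dict) -> bool:
    """Mailpiece verification at the Post Office: the signature must check out
    and the destination code must be a real delivery point."""
    dest = indicium["postal_data"]["dest_code"]
    return signature_is_valid(indicium) and postal_code_is_valid_for_mailing(dest)


def data_center_withdraw(psd: PSD, expected_registers: dict, date: str,
                         invalid_code: str = INVALID_DEST_CODES[0],
                         amount: Optional[int] = None) -> dict:
    """Steps 105-150 of Fig. 2 from the Data Center's side. amount defaults to
    the whole descending register; a smaller value models the partial refund
    mentioned at step 140."""
    audit = psd.audit()                                          # steps 105-110
    if (audit["descending"], audit["ascending"]) != (
            expected_registers["descending"], expected_registers["ascending"]):
        psd.disabled = True                                      # 115 -> 145/150
        return {"outcome": "disabled", "reason": "audit mismatch"}
    amount = audit["descending"] if amount is None else amount
    indicium = psd.debit_and_sign(amount, invalid_code, date)    # steps 120-125
    data = indicium["postal_data"]
    verified = (signature_is_valid(indicium) and                 # step 130
                data["dest_code"] == invalid_code and
                not postal_code_is_valid_for_mailing(data["dest_code"]) and
                data["amount"] == amount)
    if not verified:
        psd.disabled = True                                      # steps 145-150
        return {"outcome": "disabled", "reason": "indicium not verified"}
    refund = {"psd_id": data["psd_id"], "amount": amount}        # step 135
    if data["descending"] == 0:                                  # step 140
        psd.disabled = True
        return {"outcome": "disabled", "refund": refund, "indicium": indicium}
    return {"outcome": "active", "refund": refund, "indicium": indicium}
```

The Data Center's check at step 130 is deliberately two-sided: the signature must verify, and the signed destination code must be the invalid one the Data Center asked for. An indicium captured from this exchange therefore fails post_office_accepts_mailpiece, whereas the same debit_and_sign call with a real code such as the "06926070001" of paragraph [0018] yields an indicium the Post Office check would accept, which is the Personal Post Office weakness the description discusses. A partial debit leaves the descending register non-zero, so the PSD stays in service as at step 140.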
[0027] The present invention has been described for an open system meter, such as defined by the IBIP Specifications. It will be understood that the present invention is also suitable for closed system digital meters, such as the previously noted Personal Post Office digital meter, using invalid or Data Center-supplied origin postal or date of mailing information.
[0028] It will be understood that although the embodiment of the present invention is described for a postage metering system, the present invention is applicable to any value metering system that includes transaction evidencing, such as monetary transactions, item transactions and information transactions. Such value metering systems, for example a tax meter, would use invalid or Data Center-supplied information, such as an invalid date.

[0029] While the present invention has been disclosed and described with reference to the embodiments hereof, it will be apparent, as noted above, that variations and modifications may be made therein. It is, thus, intended in the following claims to cover each variation and modification that falls within the true spirit and scope of the present invention.

Claims

1. A method for removing postal funds from a postage meter, the method comprising the steps of:

providing the accounting unit (20) of a postage meter (10) with indicium-related information which is invalid for mailing;
generating (125) a digital signature, said digital signature being an encrypted value of the postal funds removed from the postage meter (10) and other postal data including said indicium-related information;
sending (125) to a data center (5) the amount of the postal funds removed from the postage meter (10) and the digital signature; and
verifying (130) at the data center (5) that the digital signature has been generated using the indicium-related information.

2. The method of Claim 1 comprising the further steps of:

disabling (150) the meter (10) when the digital signature cannot be verified; and
sending (135) a request for a refund to a postal authority when the digital signature is verified.

3. The method of Claim 1 or 2, wherein the indicium-related information is an invalid destination postal code.

4. The method of Claim 1 or 2, wherein the indicium-related information is an invalid origination postal code.

5. The method of Claim 1 wherein the data center (5) provides the indicium-related information to the postage meter (10).

6. A method for removing funds from a transaction evidencing device, the method comprising the steps of:

providing the accounting unit (20) of a transaction evidencing device (10) with transaction-related information which is invalid;
generating (125) a digital signature, said digital signature being an encrypted value of the funds removed from the transaction evidencing device (10) and other data including said transaction-related information;
sending (125) to a data center (5) the amount of the funds removed from the transaction evidencing device (10) and the digital signature; and
verifying (130) at the data center (5) that the digital signature has been generated using the transaction-related information.

7. The method of Claim 6 comprising the further steps of:

disabling (150) the transaction evidencing device (10) when the digital signature cannot be verified; and
sending (135) a request for a refund to a transaction authority when the digital signature is verified.

8. The method of Claim 6 or 7, wherein the transaction-related information is an invalid date.

9. The method of Claim 6, 7 or 8, wherein the transaction evidencing device (10) is a tax meter.

10. The method of Claim 6 wherein the data center (5) provides the transaction-related information to the transaction evidencing device (10).



EP0927956A2



[Fig. 1: block diagram of the prior art open metering system (Host PC 12, PSD 20, printer 24, modem 28, Data Center 5); the drawing itself is not reproduced.]
[Fig. 2: flow chart of the funds removal process, with METER and DATA CENTER lanes. Box labels, keyed to the step numbers used in [0025] and [0026]: 100 "Initiates funds debit by contacting Data Center"; 105 "Data Center responds with audit request"; 110 "Performs audit and sends result to Data Center"; 120 "Request indicium with invalid postal code for amount of DR"; 125 "Create indicium and send to Data Center"; 135 "Send request to postal authority for refund"; 140 (label illegible in the scan); 145 "Send disable message to PSD"; 150 "Disable PSD". The drawing itself is not reproduced.]